$OpenBSD: patch-lib_puppet_network_http_rack_rest_rb,v 1.1 2016/05/27 19:10:39 sebastia Exp $

Make puppet trusted facts available when running with unicorn behind
nginx or apache
See https://tickets.puppetlabs.com/browse/PUP-6366

--- lib/puppet/network/http/rack/rest.rb.orig	Fri May 27 10:11:44 2016
+++ lib/puppet/network/http/rack/rest.rb	Fri May 27 10:11:50 2016
@@ -92,7 +92,22 @@ class Puppet::Network::HTTP::RackREST
     # NOTE: The SSL_CLIENT_CERT environment variable will be the empty string
     # when Puppet agent nodes have not yet obtained a signed certificate.
     if cert.nil? || cert.empty?
-      nil
+      # When running with unicorn, the SSL_CLIENT_CERT variable is not available
+      # in the environment, therefore we have to pass a header: 'X-SSL-Client-Cert'
+      cert = request.env['HTTP_X_SSL_CLIENT_CERT']
+      if cert.nil? || cert.empty?
+        nil
+      else
+        # in contrast to the environment variable, the client cert is passed in
+        # as single string, therefore restore the certificate to a valid pem
+        # encoded certificate
+        cert.gsub!(/ /, "\n")
+        cert.gsub!(/BEGIN\nCERT/, "BEGIN CERT")
+        cert.gsub!(/END\nCERT/, "END CERT")
+        cert = Puppet::SSL::Certificate.from_instance(OpenSSL::X509::Certificate.new(cert))
+        warn_if_near_expiration(cert)
+        cert
+      end
     else
       cert = Puppet::SSL::Certificate.from_instance(OpenSSL::X509::Certificate.new(cert))
       warn_if_near_expiration(cert)
